HIPAA Compliance for Medical Practices
68.5K views | +1 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

HIPAA Breach Notification Rule

HIPAA Breach Notification Rule | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Breach Notification Rules under the HITECH and GINA Act were issued on January 25, 2013, resulting in modifications to HIPAA Privacy, Security, and Enforcement. This is commonly known as the Omnibus Rule. The Omnibus Rule mandates covered entities (CEs) and business associates (BAs) provide the required HIPAA breach notifications following an impermissible use or disclosure of protected health information (PHI).

What is a HIPAA Breach?

A HIPAA breach notification may be required because of an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI) of an individual.  An impermissible use or disclosure is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the protected health information has been compromised.

A risk assessment must include consideration of at least the following factors:

  • The extent and nature of the PHI involved (i.e. types of identifiers and likelihood of re-identification);
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • If the PHI was viewed and/or acquired;
  • To what extent the risk to the PHI has been mitigated.

How Does a HIPAA Breach Notification Work?

(1) HIPAA Breach Notification Rule: Following a breach of unsecured PHI, CEs must notify affected individual(s) and the Secretary of Health and Human Services (HHS).”  In instances where the breach affects more than 500 residents of a State or jurisdiction, notice must be provided to prominent local media.  In addition, BAs must notify CEs that a breach has occurred.

Individual HIPAA breach notifications must occur without delay, but not later than 60 days from the date of the breach discovery.  A breach is considered to be “discovered” when at least one employee of the entity knows of the breach.  This does not include the person responsible for the breach.

(2) Covered Entities HIPAA Breach Notification: Covered entities are required to notify affected individuals following the discovery of a breach of unsecured PHI. The CE must provide the individual notice in written form by first-class mail.  Notices by email are permissible if the affected individual has agreed to receive notices electronically.

What about Business Associates?

(1) Business Associates HIPAA Breach Notification:  If a breach of unsecured PHI occurs by a business associate, the BA must notify the CE following the discovery of the breach.  A business associate must provide notice to the covered entity no later than 60 days from the day of discovery of the breach.  BAs are required to provide the identification of each individual affected by the breach.  The covered entity is responsible for ensuring the individuals are notified of a breach by a business associate even if the covered entity is charged with the responsibility of providing individual notices to the business associate.

(2) Out-of-date Information: If the CE or BA has insufficient or out-of-date information for more than 10individuals, the CE must provide a substitute individual notice by one of two methods.  It may post the notice on the home page of its website for at least 90 days.  Or it may provide the notice in major print or broadcast media where the affected individuals reside. This notice must include a toll-free number that remains active for at least 90 days.  If the CE or BA has insufficient or out-of-date information for less than 10 individuals, the covered entity may provide a substitute notice by an alternative form of written, telephone, or other means of notification.

HHS Wall of Shame

As required by section 13402(e)(4) of the HITECH Act, the Secretary posts a list of HIPAA breaches of unsecured protected health information affecting 500 or more individuals. These HIPAA breaches can range from a laptop theft to a hacking/IT incident.In 2015 there were over 113 million breaches of individual records reported, and the number of incidents related to “hacking” and “IT incidents” have doubled since 2014.   And this only includes breaches involving 500 or more individuals!

Most recently, St. Joseph Health (SJH) has agreed to settle potential violations of HIPAA Privacy and Security Rules following the report that files containing ePHI were publicly accessible through internet search engines from 2011 until 2012.  The public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.  SJH will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan.  This plan requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff accordingly.

The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information. Entities must not only conduct a comprehensive HIPAA risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Medical Device Cybersecurity - 4 Steps to Take 

Medical Device Cybersecurity - 4 Steps to Take  | HIPAA Compliance for Medical Practices | Scoop.it

As if the headlines today are not scary enough, now we have to be worried – very worried, it seems – about medical device cybersecurity!  Reports of hacking and other incidents related to medical device cybersecurity are all over the news lately.  Not only does it have a financial impact, but confidentiality and HIPAA issues come up immediately!  The first 6 months of 2017 have seen an inordinate number of cybersecurity meltdowns.   In addition, other HIPAA breaches and data leaks occur much too often.

  • In April 2017, hospitals in Europe were shut down by the WannaCry ransomware.  At least two contrast agent injectors were compromised as part of that attack.
  • In 2015, three hospitals suffered data breaches when devices were infected by malware.  The devices included a blood gas analyzer and a picture archiving and communications system (PACS) system.  In these instances, the malware made its way from the device to other systems in the hospitals, leaving the hospital facing a ransom demand to cleanse its systems.  And this happened even though the hospitals had firewalls, intrusion detection and other security tools in place!
  • In August 2017, the FDA approved a firmware patch to address cybersecurity vulnerabilities in 500,000 pacemakers manufactured by Abbott.  The problems were identified over a year ago!

 

Why are medical devices vulnerable to cyber attacks?

Most of the time, the medical device cybersecurity flaws are due to external software such as Windows.  Many devices have Windows operating systems as the interface to the persons operating the equipment.  Windows is also used to interface with electronic health record systems.  If the device is connected to the internet, a pathway exists for malware to infect the Windows software on the device.  Malware can then make its way to other connected devices or applications.

But as the pacemaker issue mentioned above shows, there can also be vulnerabilities in the devices themselves.  An investment firm lit a fire when it issued a report a year ago claiming most devices had little to no built-in cybersecurity measures.

What does the government advise about medical device cybersecurity?

Two government agencies are concerned about medical device cybersecurity.  The Food and Drug Administration (FDA) has principally been concerned about patient safety.  The Office of Civil Rights (OCR)  of the Health and Human Services Department (HHS) administers the Privacy and Security HIPAA rules.

In its focus on patient safety, the FDA did not focus much on the HIPAA security issues related to medical device cybersecurity.  The FDA expanded its view of medical device cybersecurity considerations with its Postmarket Management of Cybersecurity in Medical Devices guidance issued on December 28, 2016.  This non-binding guidance advises device manufacturers to consider several strategies for reducing medical device cybersecurity risks.

  • Maintaining robust software lifecycle processes that include monitoring third party software components for new vulnerabilities.
  • Understanding, detecting and establishing communication processes with users when vulnerabilities are recognized.
  • Adopting coordinated vulnerability disclosure policies and deploying mitigation measures that address risks.

The 4 things medical device users should do

First, ask vendors how they are implementing the FDA Postmarket Management Guidance.  In this day and age, there is really no excuse for not keeping third party software like Windows up to date.

Second, expand the information you keep in your inventory of medical devices to include several factors, including:

  • The risk of each device, e.g., use of third party software, connection to the internet, etc.
  • The type of data kept on the device, whether it is static or dynamic.
  • The security controls that exist on the device, e.g., encryption, use of passwords, etc.

Third, include medical devices with third party software in the periodic HIPAA Security Rule Risk Assessment you perform.

Fourth, keep a sharp eye out for communications about vulnerabilities of your medical devices – and for patches to firmware that can improve the resistance of devices to hacking.

Medical device cybersecurity is not a particularly glamorous issue, but paying attention to it is vital in this environment.  Hospitals have long had to keep electrical/electronic equipment safe to use around patients.  Cybersecurity is just another part of that culture of safety.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA and Email: there are rules

HIPAA and Email: there are rules | HIPAA Compliance for Medical Practices | Scoop.it

Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions.  Recently, email has become even more accessible with the introduction of the smartphone.  However, leave it to healthcare to throw a curve ball to this cozy relationship.  The fact is, HIPAA and email have long been at odds.

HIPAA Privacy and Security rules are concerned with email and the web in general

Across the board, healthcare providers are increasingly

  • using, or
  • are considering using, or
  • are being asked to use,

email to communicate with patients about their medical conditions.  If you find yourself described here, then it bears repeating that the Internet, and things like an email sent over the Internet, is not secure.  Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by other parties besides the person to whom it is addressed.  And it’s that “possibility” that becomes the area of focus.

HIPAA and email can coexist … it’s a matter of understanding the rules

So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?

Under many of the HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc.  But what is considered reasonable?  The Office of Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPAA FAQs page.  Notably …

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

 

What if a patient initiates communications with a provider using email?  The OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”

 

Must providers acquiesce to use of email for communications with patients?

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

 

The OCR also interprets the HIPAA Security Rule to apply to email communications.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

 The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions;
  • It is a good idea to warn patients about the risks of using email that includes patient health information (PHI);
  • Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want to be shared; and
  • Providers must take steps to protect the integrity of information and protect information shared over open networks.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.